On Sat, 24 Sep 2022 11:49:05 +0800 Liu Shixin <liushixin2@xxxxxxxxxx> wrote: > The vma_lock and hugetlb_fault_mutex are dropped before handling > userfault and reacquire them again after handle_userfault(), but > reacquire the vma_lock could lead to UAF[1,2] due to the following > race, > > hugetlb_fault > hugetlb_no_page > /*unlock vma_lock */ > hugetlb_handle_userfault > handle_userfault > /* unlock mm->mmap_lock*/ > vm_mmap_pgoff > do_mmap > mmap_region > munmap_vma_range > /* clean old vma */ > /* lock vma_lock again <--- UAF */ > /* unlock vma_lock */ > > Since the vma_lock will unlock immediately after hugetlb_handle_userfault(), > let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix > the issue. > Thanks. Turns out that porting all the pending material on top of this change was not a confidence-inspiring activity. So I ended up merging your v3. Please work with Greg on the backporting when he gets on to it? Hopefully that will merely involve sending him this v4.
